A botnet (contraction of "robot network ") is a clandestine network of connected devices (computers, smartphones, IoT objects, etc.) infected with malicious software (bots). These devices, called "Zombiesare controlled remotely by cybercriminals to perform cyber attacks contact detailssuch as sending spam or launching attacks by denial of service (DDoS), often without the knowledge of the owners of the compromised devices.
The botnet is run by a bot herder (pirate) via command and control servers (C2).
How it works
How it works- Architecture :
- Centralised model (C2) A single C2 server directs all the bots (e.g. via IRC/HTTP). Vulnerable to takedowns.
- Decentralised model (P2P) no central server. Bots communicate with each other (eg. Waledac), making the network resilient.
- Hybrid model combines C2 and P2P (e.g. Emotet).
- Lifecycle :
-
- Infection : Propagation via phishingexploits zero-dayor malvertising.
- Propagation self-replicating malware to recruit new bots.
- Activation The Herder bot sends commands (e.g. DDoS attack), data theft...).
- Communication protocols :
- HTTP/HTTPS masked in legitimate web traffic.
- DNS tunneling data concealment in DNS requests.
- Encryption : SSL/TLS to avoid detection.
๐ฟ Malicious uses
| Type of attack | Description | Examples |
|---|---|---|
| DDoS attacks | Servers overwhelmed by massive traffic (TCP/UDP floods). | Mirai (2016), GitHub (2018) |
| Data Theft | Extraction of sensitive data (identifiers, cryptocurrencies, documents). | Zeus (banks), TrickBot |
| Spam & phishing | Sending millions of fraudulent e-mails or malicious links. | Cutwail, Grum |
| Cryptojacking | Use of CPU/GPU to mine cryptocurrencies. | Smominru, Prometei |
| Advertising fraud | Fraudulent clicks on online ads to generate illegitimate revenue. | Methbot, 3ve |
| Proxy for other attacks | Concealment of the origin of attacks via bot IPs. | VPNFilter, Necurs |
๐ Historical examples
- Mirai (2016) IoT botnet that paralysed Dyn (DNS), affecting Twitter and Netflix.
- Emotet King of the botnets", rented out to gangs to distribute ransomware.
- Zeus Specialises in stealing banking data (more than 3.6 million PCs infected).
๐ Detection
Detection techniques
- Traffic analysis : detection of abnormal peaks or communications to suspect IPs.
- Honeypots Traps simulating vulnerable devices to study bots.
- Sinkholing redirecting bots to servers controlled by researchers.
Tools
- Snort (IDS), Wireshark (network analysis), Botnet Tracking Tools (Cyber Threat Alliance)
Legal action
-
- Coordinated takedowns (e.g. operation Dawned Itzel against Emotet in 2021).
- Sanctions against bot herders (e.g. arrest of the creator of Mirai).
๐ฅ Ethical and economic issues
- Financial impact Average cost of a DDoS attack: 120,000 $/hour (Kaspersky study).
- IoT security Weak passwords and non-updated firmware make it easy to infect.
- Geopolitical risks botnets used as weapons by states (e.g. Russia, North Korea).
๐ Protection and prevention
- For individuals :
- Regular updates, anti-virus, avoid suspicious attachments.
- For companies :
- Firewall generation (NGFW), network segmentation, employee training.
- Anti-DDoS services (Cloudflare, Akamai)
๐ฎ The future of botnets
- AI on the offensive adaptive bots that bypass defence systems via machine learning.
- Priority targets expansion into connected vehicles and critical infrastructures.
- Legislation Tougher laws on IoT security (e.g., in France). UK PSTI Act).
